Splunk → Microsoft Sentinel — the 90-day migration playbook

Pawan Sharma  ·  Published 11 Jun 2026  ·  SIEM  ·  14 min read

Splunk → Microsoft Sentinel migration is one of the highest-frequency engagements we run in 2026. The drivers are licence-cost (Splunk per-GB pricing has shifted; Sentinel's M365 E5 ingest benefit is structural), Microsoft-stack consolidation, and SOC analyst productivity (Defender XDR-native correlation). This post is the 90-day playbook — what to migrate when, the parallel-run shape, the detection-rule re-authoring approach, the cost math, and the team-side change-management that matters more than the technical work.

90 days: mid-market migration. Standard 100-300 GB/day estate with 50-150 source types; larger estates take 6-12 months.

~₹0.7-1.0 cr: Sentinel TCO/year. 200 GB/day with the M365 E5 ingest benefit, vs Splunk ES at ₹1.8-2.5 cr/year.

5-8 months: payback period. Services + first-year licence vs annual Splunk savings.

SPL → KQL: detection re-author. Uncoder.io first pass; senior analyst review of every rule.

The 90-day playbook

1. Days 1-15 — Foundation + data-source inventory

Sentinel workspace in Central India. Connect Microsoft 365, Defender XDR, Entra ID and Defender for Cloud first: native connectors with minimal setup, where Defender alerts and Office 365 audit logs ingest free and Entra sign-in / audit logs are covered by the M365 E5 benefit (up to 5 MB/user/day). Inventory existing Splunk data sources: type, daily GB, retention, criticality. Build the migration waterfall.

2. Days 16-30 — High-volume source onboarding

AWS / Azure / GCP cloud sources via native Sentinel connectors. Firewall + endpoint telemetry via syslog / CEF / API. Begin parallel ingest — Splunk + Sentinel receive same data.

3. Days 31-45 — Detection rule re-authoring

Uncoder.io SPL → KQL first pass on the production detection library (typically 200-600 rules for mid-market). Senior analyst review + KQL idiom corrections + Sentinel analytics-rule creation. Defender XDR-native rules drop from custom-author list — they ship out of the box.

4. Days 46-60 — Logic Apps playbooks + integrations

SOAR-style playbooks: Defender XDR auto-isolate, Entra account disable, ServiceNow / Jira ticket creation, Teams alert posting. Migrate Splunk SOAR / Phantom workflows; Python-heavy ones re-author as Azure Functions invoked by Logic Apps.

5. Days 61-75 — Parallel-run + tuning

Both Splunk + Sentinel running. Compare detection volume, true-positive rate, MTTR per incident. Tune Sentinel rules with false-positive feedback. KQL training for tier-2 analysts.

6. Days 76-90 — Cutover + Splunk retirement

Sentinel as primary SIEM. Splunk to read-only archive retention. Decommission ingest-side Splunk infrastructure. Final cost-realisation report; Copilot for Security pilot enrolment.
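The Days 61-75 parallel-run comparison is the step teams most often do by eye. The script below is an added example, not Ogma's tooling and not part of the original post: it takes incident exports from both SIEMs for the same window, joins them through a hand-maintained Splunk-rule to Sentinel-rule map (re-authored rules rarely keep their names), and reports per rule the alert volume, true-positive rate, MTTR, and which specific detections (entity + hour bucket) Sentinel missed. The incident records, rule names and the map are constructed for the example; the field order and the drift thresholds are assumptions you would adapt to your export format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample incident exports for the same 24h parallel-run window.
# Tuple: (rule, entity, created, closed-or-None, verdict "TP"/"FP"/None if open).
SPLUNK = [
    ("Brute Force - Auth Failures", "jdoe", "2026-06-01T02:10", "2026-06-01T03:40", "TP"),
    ("Brute Force - Auth Failures", "svc_backup", "2026-06-01T09:05", "2026-06-01T09:35", "FP"),
    ("Lateral Movement - PsExec", "WS-114", "2026-06-01T14:22", "2026-06-01T16:52", "TP"),
    ("Lateral Movement - PsExec", "WS-207", "2026-06-01T18:02", "2026-06-01T18:32", "FP"),
    ("Proxy - Rare Domain", "WS-114", "2026-06-01T15:00", None, None),
]
SENTINEL = [
    ("KQL: brute force sign-in failures", "JDOE", "2026-06-01T02:12", "2026-06-01T02:57", "TP"),
    ("KQL: brute force sign-in failures", "svc_backup", "2026-06-01T09:06", "2026-06-01T09:26", "FP"),
    ("KQL: PsExec lateral movement", "ws-114", "2026-06-01T14:25", "2026-06-01T15:25", "TP"),
    ("KQL: PsExec lateral movement", "WS-301", "2026-06-01T20:00", "2026-06-01T20:20", "FP"),
]
# Re-authored rules rarely keep their Splunk names; the map is maintained by hand.
# "Proxy - Rare Domain" has no Sentinel counterpart yet, so it must surface as a gap.
RULE_MAP = {
    "Brute Force - Auth Failures": "KQL: brute force sign-in failures",
    "Lateral Movement - PsExec": "KQL: PsExec lateral movement",
}


def _key(rec):
    """Detection identity across both SIEMs: case-folded entity + hour bucket."""
    created = datetime.fromisoformat(rec[2])
    return (rec[1].lower(), created.strftime("%Y-%m-%dT%H"))


def _tp_rate(recs):
    closed = [r for r in recs if r[4] in ("TP", "FP")]
    return round(sum(r[4] == "TP" for r in closed) / len(closed), 2) if closed else None


def _mttr_min(recs):
    mins = [(datetime.fromisoformat(r[3]) - datetime.fromisoformat(r[2])).total_seconds() / 60
            for r in recs if r[3]]
    return round(sum(mins) / len(mins), 1) if mins else None


def compare(splunk, sentinel, rule_map):
    """Per Splunk rule: volume, TP rate, MTTR, and the detections Sentinel missed/added."""
    spl, sen = defaultdict(list), defaultdict(list)
    for r in splunk:
        spl[r[0]].append(r)
    for r in sentinel:
        sen[r[0]].append(r)
    report = {}
    for rule, s_recs in spl.items():
        target = rule_map.get(rule)
        t_recs = sen.get(target, [])
        s_keys, t_keys = {_key(r) for r in s_recs}, {_key(r) for r in t_recs}
        flags = []
        if target is None:
            flags.append("no Sentinel rule mapped")
        elif s_keys - t_keys:
            flags.append("missed detections")
        # Volume drift: either side firing >1.5x the other on the same data.
        if s_recs and t_recs and max(len(s_recs), len(t_recs)) > 1.5 * min(len(s_recs), len(t_recs)):
            flags.append("volume drift >50%")
        s_tp, t_tp = _tp_rate(s_recs), _tp_rate(t_recs)
        if s_tp is not None and t_tp is not None and t_tp < s_tp - 0.2:
            flags.append("FP regression")
        report[rule] = {
            "sentinel_rule": target,
            "alerts": (len(s_recs), len(t_recs)),
            "tp_rate": (s_tp, t_tp),
            "mttr_min": (_mttr_min(s_recs), _mttr_min(t_recs)),
            "caught": sorted(s_keys & t_keys),
            "missed": sorted(s_keys - t_keys),
            "extra": sorted(t_keys - s_keys),
            "flags": flags,
        }
    return report


def coverage(report):
    """Share of Splunk detections that Sentinel also raised, over mapped rules only."""
    caught = sum(len(r["caught"]) for r in report.values() if r["sentinel_rule"])
    total = sum(len(r["caught"]) + len(r["missed"]) for r in report.values() if r["sentinel_rule"])
    return round(caught / total, 2) if total else None


if __name__ == "__main__":
    rep = compare(SPLUNK, SENTINEL, RULE_MAP)
    for rule, row in rep.items():
        print(rule, row["alerts"], row["tp_rate"], row["mttr_min"], row["flags"])
    print("detection coverage:", coverage(rep))
```

Matching on entity plus hour bucket rather than exact timestamps is deliberate: the two platforms ingest with different latency and fire with different aggregation windows, so a minute-level join would report false misses. Run this daily during the 30-day window and track coverage per rule; the rules that stay below parity are the ones that need re-authoring attention before cutover, and the unmapped ones are the gap list.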

SPL → KQL — what re-authoring looks like

The translation isn't 1:1 but the pattern is

~70% of typical Splunk SPL queries translate cleanly via Uncoder.io; the rest need analyst review

Splunk SPL:   index=firewall sourcetype=cisco_asa action=allow | stats count by src_ip
Sentinel KQL: CiscoASA_CL | where DeviceAction == "allow" | summarize count() by SrcIP

Splunk SPL:   | eval threat_score=case(...)
Sentinel KQL: | extend threat_score=case(...)

Splunk SPL:   | lookup users.csv user OUTPUT department
Sentinel KQL: | lookup kind=leftouter (Users) on user

Splunk SPL:   | timechart span=1h count
Sentinel KQL: | summarize count() by bin(TimeGenerated, 1h)

Splunk SPL:   multi-search lookups with subsearches
Sentinel KQL: let bindings + union; analyst review

Splunk SPL:   custom Splunk macros / data models
Sentinel KQL: KQL functions; complex models need re-architecting

SOC Prime's open-source Uncoder.io is the translator we use as the first pass. ~70% of typical SPL queries come out as working KQL. The remaining 30%, mostly multi-search and custom-macro patterns, get senior-analyst attention. Budget ~5-10 person-days per 100 rules for re-authoring.
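To make the 70/30 split concrete, here is an added example of what a pattern-based first pass does and where it has to give up. This is illustrative code written for this page, not Uncoder.io and not Ogma's tooling. The index/sourcetype-to-table map, the field map and the six-rule sample library are constructed; a real migration loads the maps from the target schema (the Cisco ASA connector, for instance, normally lands in CommonSecurityLog) and the team's own field dictionary. The translator covers the shapes in the table above, flags things a human must confirm (an `eval` expression copied through, a CSV that must exist as a watchlist or table before `lookup` works), and refuses subsearches, macros and commands such as `join`, `map`, `append`, `transaction` and `tstats` outright.

```python
import re

# Assumed mappings (illustrative): Splunk index/sourcetype -> Sentinel table,
# and Splunk field -> Sentinel column per table.
TABLE_MAP = {
    ("firewall", "cisco_asa"): "CiscoASA_CL",
    ("wineventlog", "WinEventLog:Security"): "SecurityEvent",
}
FIELD_MAP = {
    "CiscoASA_CL": {"action": "DeviceAction", "src_ip": "SrcIP", "dest_ip": "DstIP"},
    "SecurityEvent": {"user": "Account", "EventCode": "EventID", "src_ip": "IpAddress"},
}
# SPL constructs a pattern-based pass must not pretend to handle.
NEEDS_ANALYST = re.compile(
    r"\[\s*search\b|`[^`]+`|\|\s*(join|map|append|transaction|datamodel|tstats)\b", re.I)
KV = re.compile(r'(\w+)\s*=\s*"?([^"\s]+)"?')  # key=value terms in the base search

# Constructed mini library used to show the clean / review / manual split.
RULES = [
    'index=firewall sourcetype=cisco_asa action=allow | stats count by src_ip',
    'index=firewall sourcetype=cisco_asa | timechart span=1h count',
    'index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | stats count by user | lookup users.csv user OUTPUT department',
    'index=firewall sourcetype=cisco_asa | eval threat_score=case(action=="deny", 5, true(), 0) | stats count by threat_score',
    'index=proxy [search index=threat | fields ip] | stats count by ip',
    '`asa_allowed` | stats count by src_ip',
]


def _literal(v):
    # Columns such as SecurityEvent.EventID are numeric in Sentinel; keep digits unquoted.
    return v if v.isdigit() else f'"{v}"'


def _stage(stage, col):
    """Translate one pipeline stage. Returns (kql, note); kql None means give up."""
    m = re.fullmatch(r"stats\s+count\s+by\s+(.+)", stage, re.I)
    if m:
        return "summarize count() by " + ", ".join(col(f.strip()) for f in m.group(1).split(",")), None
    m = re.fullmatch(r"timechart\s+span=(\d+[smhd])\s+count", stage, re.I)
    if m:
        return f"summarize count() by bin(TimeGenerated, {m.group(1)})", None
    m = re.fullmatch(r"eval\s+(\w+)\s*=\s*(.+)", stage, re.I)
    if m:  # expression is copied through verbatim; SPL and KQL function semantics differ
        return f"extend {m.group(1)}={m.group(2)}", "check eval expression semantics"
    m = re.fullmatch(r"lookup\s+(\w+)\.csv\s+(\w+)\s+OUTPUT\s+\w+", stage, re.I)
    if m:  # the CSV must already be loaded as a Sentinel watchlist or custom table
        tbl = m.group(1).capitalize()
        return f"lookup kind=leftouter ({tbl}) on {col(m.group(2))}", f"create table/watchlist {tbl}"
    return None, f"unsupported stage: {stage}"


def translate(spl):
    """Return (kql, notes). kql is None when the rule needs a full re-author."""
    hits = [h.group(0).strip() for h in NEEDS_ANALYST.finditer(spl)]
    if hits:
        return None, [f"needs analyst: {h}" for h in hits]
    stages = [s.strip() for s in spl.split("|")]   # assumes no '|' inside string literals
    terms = dict(KV.findall(stages[0]))
    table = TABLE_MAP.get((terms.pop("index", ""), terms.pop("sourcetype", "")))
    if table is None:
        return None, ["no table mapping for index/sourcetype"]
    fields, notes = dict(FIELD_MAP[table]), []

    def col(f):  # unmapped field: keep the Splunk name and flag it
        if f not in fields:
            notes.append(f"unmapped field {f}")
        return fields.get(f, f)

    kql = [table] + [f"where {col(k)} == {_literal(v)}" for k, v in terms.items()]
    for stage in stages[1:]:
        out, note = _stage(stage, col)
        if out is None:
            return None, notes + [note]
        kql.append(out)
        if out.startswith("extend "):  # a derived column keeps its name downstream
            name = out[7:].split("=", 1)[0].strip()
            fields[name] = name
        if note:
            notes.append(note)
    return " | ".join(kql), notes


def triage(rules):
    """Bucket a rule library: clean first pass, first pass plus review note, manual."""
    counts = {"clean": 0, "review": 0, "manual": 0}
    for spl in rules:
        kql, notes = translate(spl)
        counts["manual" if kql is None else ("review" if notes else "clean")] += 1
    return counts


if __name__ == "__main__":
    for spl in RULES:
        print(spl, "->", translate(spl))
    print(triage(RULES))
```

The point of the `triage` bucket is planning, not translation: run it over the exported library on day 31 and the clean / review / manual counts give you the person-day estimate for the rest of the sprint before anyone opens the Sentinel portal. Anything that comes back `manual` is a candidate for the out-of-the-box Defender XDR rule check before it is re-authored at all.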

The TCO math — 200 GB/day mid-market

Line item                          Splunk ES (200 GB/day)   Sentinel (200 GB/day, M365 E5)
Ingest / licence (annual)          ~₹1.5-2.0 cr             ~₹0.4-0.6 cr (200 GB/day commit tier; M365 sources offset)
Infrastructure (cloud / on-prem)   ~₹15-30 lakh             Bundled in Azure
SOAR / Phantom licence             ~₹15-30 lakh             Logic Apps consumption ~₹1-3 lakh/year
Operations + support               ~₹15-25 lakh             ~₹10-15 lakh
Total annual                       ~₹1.8-2.5 cr             ~₹0.7-1.0 cr
One-time migration services                                 ~₹35-65 lakh

Ranges depend on actual workload, retention, commit tier and India channel pricing. The M365 E5 ingest benefit (up to 5 MB per user per day at no charge, on the eligible data types such as Entra ID sign-in and audit logs) is the structural lever: without it the Sentinel side runs ~30-50% higher. Note that the benefit is a per-user cap, not unlimited, so estates with heavy Entra sign-in volume relative to headcount still pay for the overflow.
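The Days 1-15 inventory and the E5 lever are the same calculation seen from two ends, so one added example serves both. The script below is written for this page and is not Ogma's tooling or a Microsoft calculator. Its inventory rows and the billing-class assignments are constructed and illustrative (confirm every table against the current Sentinel free-source and E5-benefit lists); the 5 MB/user/day cap and the 90 days of retention included with a Sentinel workspace are the published terms at the time of writing and should be re-checked before they go into a quote. GB are decimal (1000 MB) for readability. It produces the three things the day-15 deliverable needs: billable GB/day after the E5 cap is applied, the onboarding waterfall, and the list of sources whose Splunk retention exceeds what the workspace includes.

```python
# Constructed Splunk inventory, the Days 1-15 deliverable. Row: sourcetype,
# daily GB, retention days, criticality (1 = highest), Sentinel target table,
# and billing class. Class assignments are illustrative; confirm each table
# against the current Sentinel free-source and E5-benefit lists.
#   free     : no ingest charge (Defender alerts, Office 365 audit)
#   e5       : covered by the M365 E5 benefit, capped at 5 MB/user/day in total
#   billable : metered at the commit-tier / PAYG rate
INVENTORY = [
    ("o365:management:activity", 18.0, 365, 1, "OfficeActivity", "free"),
    ("ms:defender:alerts", 0.5, 365, 1, "SecurityAlert", "free"),
    ("azure:aad:signin", 22.0, 180, 1, "SigninLogs", "e5"),
    ("azure:aad:audit", 3.0, 180, 2, "AuditLogs", "e5"),
    ("cisco:asa", 60.0, 90, 1, "CommonSecurityLog", "billable"),
    ("WinEventLog:Security", 45.0, 180, 1, "SecurityEvent", "billable"),
    ("aws:cloudtrail", 12.0, 365, 2, "AWSCloudTrail", "billable"),
    ("pan:traffic", 30.0, 30, 3, "CommonSecurityLog", "billable"),
]
E5_MB_PER_USER_DAY = 5             # published benefit cap; re-check before quoting
SENTINEL_INCLUDED_RETENTION = 90   # days of retention included with a Sentinel workspace


def volume_model(inventory, e5_users):
    """Daily GB by billing class after the E5 per-user cap is applied (decimal GB)."""
    total = sum(r[1] for r in inventory)
    free = sum(r[1] for r in inventory if r[5] == "free")
    e5 = sum(r[1] for r in inventory if r[5] == "e5")
    cap_gb = e5_users * E5_MB_PER_USER_DAY / 1000
    e5_covered = min(e5, cap_gb)          # overflow above the cap is billed normally
    billable = total - free - e5_covered
    return {
        "total_gb_day": total,
        "free_gb_day": free,
        "e5_cap_gb_day": cap_gb,
        "e5_covered_gb_day": e5_covered,
        "billable_gb_day": round(billable, 2),
        "offset_pct": round((total - billable) / total * 100, 1),
    }


def waterfall(inventory):
    """Onboarding order: free/E5 native connectors first (Days 1-15), then metered
    sources by criticality, highest volume first within each tier (Days 16-30)."""
    native = [r for r in inventory if r[5] in ("free", "e5")]
    metered = sorted((r for r in inventory if r[5] == "billable"),
                     key=lambda r: (r[3], -r[1]))
    return [("1-native", r[0]) for r in native] + [("2-metered", r[0]) for r in metered]


def retention_exceptions(inventory, included_days=SENTINEL_INCLUDED_RETENTION):
    """Sources whose Splunk retention exceeds what the workspace includes; each needs
    an explicit long-term retention setting, which is priced separately from ingest."""
    return [(r[0], r[2]) for r in inventory if r[2] > included_days]


if __name__ == "__main__":
    print(volume_model(INVENTORY, e5_users=4000))
    print(waterfall(INVENTORY))
    print(retention_exceptions(INVENTORY))
```

Running it with 4000 E5 users on this inventory offsets about a fifth of the daily volume; run it again with `e5_users=0` to see the un-benefited baseline the TCO table's "~30-50% higher" comment refers to. The retention list is the part most often left off the first estimate: Splunk retention policies carry over as requirements, and anything beyond the included window is a separate line in the Sentinel bill.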

Change management — the under-budgeted line

KQL training in week 1

Microsoft Learn KQL paths + Sentinel hands-on labs. Tier-2 + Tier-3 analysts spend 2-3 days. The ramp is faster than expected if started early.

Senior SPL analysts as co-owners

Bring them into the detection-rule re-authoring as authority figures, not subjects. Their SPL fluency becomes detection-quality leverage on the Sentinel side.

Defender XDR-native rules are an easy win

Many of the highest-value Splunk rules (lateral movement, credential theft, brute-force) ship out of the box in Defender XDR + Sentinel. Don't re-author what's free.

Copilot for Security at day 90+

KQL co-author is the bridge that gets SPL analysts to KQL fluency faster. Pilot Copilot once Sentinel is stable, not before.

FAQ

Is a 90-day Splunk → Sentinel migration realistic for production?
For mid-market with a defined set of data sources (50-150 source types, 100-300 GB/day) — yes. Large enterprise multi-year Splunk deployments with custom apps + ML models take 6-12 months. The 90-day playbook is for the standard mid-market case, where the ROI clock matters.
What's the riskiest part of the migration?
Detection-rule parity. Splunk SPL queries don't translate 1:1 to KQL. You re-author your detection library, and that is the work. We use SOC Prime's open-source Uncoder.io translator as a first pass, with tier-2 senior analyst review on every rule before production.
Do we run parallel during cutover?
Yes. 30-day parallel run with both Splunk + Sentinel ingesting same sources. Compare detection volume + true-positive rate + investigation experience. Sentinel-only after 30-day stable window.
What about Splunk SOAR / Phantom workflows?
Migrate to Logic Apps playbooks in Sentinel. The native ones (Defender XDR auto-isolate, Entra account disable, Sentinel incident assignment) are 1:1 mappable. Custom Python-heavy SOAR workflows require re-authoring — typically the longest tail of migration.
Historical data — do we need to migrate Splunk history?
Most teams don't. Splunk archive remains for compliance retention; Sentinel starts fresh. Audit-trail continuity is preserved by retaining Splunk read-only access for the audit-retention window.
Cost — what does a 90-day Sentinel migration cost?
Mid-market typical: ₹35-65 lakh services + first-year Sentinel licensing. ROI math: Splunk Enterprise Security at 200 GB/day runs ₹1.8-2.5 cr/year; Sentinel at same volume with M365 E5 ingest benefit runs ₹0.7-1.0 cr/year — payback in 5-8 months.
What's the biggest non-technical risk?
Analyst team loyalty to SPL. Tier-2 / Tier-3 analysts who have spent years building SPL fluency feel slowed down by KQL for 30-60 days. Plan KQL training in week 1; bring senior Splunk users into the detection-rule re-authoring as co-owners. Cultural change > technical change.
Where does Copilot for Security fit?
After Sentinel is stable. Day-90+ — Copilot for Security pilot to bridge the KQL fluency gap and accelerate detection-rule maturation. Particularly powerful as the productivity multiplier for analysts coming off SPL.

Free Splunk → Sentinel migration assessment

Your data-source inventory, your detection library, your INR + GST TCO + 90-day plan

Ogma audits your Splunk deployment — sources, rule count, SOAR workflows, daily GB, retention — and returns a 90-day migration plan with INR / GST TCO, detection-rule re-authoring estimate, and parallel-run shape. CSP partner — Sentinel licence + services on a single INR contract.
